Following the recent disclosure of a massive data breach that affected nearly 40 million customers, retail giant Target has now confirmed that encrypted PIN data from card transactions was accessed by hackers.
Target, which on Dec. 23 confirmed it was working with the United States Secret Service and the Department of Justice to investigate to investigate the incident, has reversed earlier statements that PIN numbers had not been compromised in the breach.
“While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed,” a Target spokesperson told SecurityWeek on Friday in an emailed statement.
While encrypted PIN numbers may have been accessed by attackers, Target is confident that because the information was fully encrypted, customers should not panic.
“We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems,” the statement continued.
According to the retail giant, when a customer uses a debit card in a Target store and enters a PIN, the PIN is encrypted at the keypad using the popular Triple DES encryption standard.
Target said it does store the encryption key in its system, and that it does not have access to the encryption key used to store PIN data.
“The PIN information is encrypted within Target’s systems and can only be decrypted when it is received by our external, independent payment processor,” the company explained.
“What this means is that the ‘key’ necessary to decrypt that data has never existed within Target’s system and could not have been taken during this incident.”
According to Target, debit card accounts have not been compromised due to the encrypted PIN numbers being taken.